Security: Is it really necessary? Does it justify the cost? Or is it all FUD? (Pt. 1)

Security is a tricky subject: some people push for more of it, while others claim it is all a waste of money. What is the truth? Is security really worth the investment? Will organizations get something in return for the money they spend securing their infrastructure, or is it all a ploy by vendors of security products trying to scare people into buying products they do not really need?

The answer to these questions is never clear cut – it obviously varies from company to company and it depends on a number of factors.

Let’s start with a brief overview of what an organization needs to defend. Again, this is specific to each case, but it generally includes a standard set of things. At the highest level you have the physical and the virtual. The physical is pretty straightforward – the building, equipment, tools and everything else tangible. Virtual property includes intellectual property, account information, the operating environment, the network infrastructure and other data stored in your IT environment.

Securing the Physical and the Virtual involves the same basic steps. One starts with a risk assessment. Where are my weak points? What kind of attacks am I expecting? How much can I afford to spend to mitigate a particular risk? Once again, the answer varies according to the individual organization. If you’re a bank with a certain amount of money stored in the building at all times, it makes sense to worry about people breaking in through every possible entry point, be it the roof, the basement or even the sewers. On the other hand, if you run a sweet shop, securing against people infiltrating the store through the roof after climbing down ropes from helicopters might be going a bit overboard.

Identifying the variables

The first step is to understand what we’re dealing with. The Physical and the Virtual have slightly different variables and dynamics. Taking the example above, why wouldn’t a sweet shop worry about people climbing down from helicopters to raid the shop? Because it is easy to see that thieves with those kinds of resources and tactical expertise will not bother with something as small as a sweet shop, and that is a fair assumption to make. But does the same hold in the virtual world? Not in all cases. To understand this better we need to consider our possible attackers. Essentially, there are three kinds of attacks we can experience:

Targeted Attacks

Untargeted (Random) Attacks

Insider Attacks

Targeted attacks, as the name implies, are attacks launched at a particular target. These attacks would be what in the physical world you would expect from thieves with helicopters. They will have a particular target in mind; they won’t roam around in their helicopter and attack the first target of opportunity.

Untargeted attacks are attacks that seek out anyone vulnerable. Here the attacker doesn’t really care who gets hit; in fact, in most cases the attacker wouldn’t even be aware of who he is hitting. In this type of attack the attacker simply scans random portions of the internet for someone vulnerable and attacks any potential victims that are found.

Insider attacks are the most problematic. Targeted attacks are insidious because the attacker will spend time trying to break through your security and is intent on succeeding. Chances are that targeted attackers will also be more knowledgeable. Random, non-targeted attacks are less insidious in that the attacker will most likely try a couple of attacks and, if they fail, move on. In most cases the probing will also be done by a script with no human monitoring whatsoever. However, random attacks are more likely to occur because, by their nature, they are constantly running and looking for victims. Every computer connected to the internet will experience plenty of such probes. It doesn’t matter how big your business is, because the person launching the attack has no knowledge of that. Being a behemoth like Toyota or small like the little corner shop makes no difference (well, except that Toyota will have a much larger footprint on the internet than a little corner shop; apart from that, for this type of attack, they’re identical). Insider attackers are the worst because they essentially inherit the worst parts of targeted and random attacks: insider attacks are aimed at you specifically and, in most cases, will persist until they succeed or are stopped.
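The distinction drawn above, between a random probe that tries a couple of attempts and moves on and a targeted attacker who keeps coming back, is something a defender can look for in ordinary authentication logs. The following script is an added example, not code from the article or from GFI; it triages failed-login lines in an sshd-like format by source address, labelling a source "persistent" when it keeps failing over a long window (the thresholds of 5 attempts across 30 minutes are assumed for illustration, not taken from the article) and "opportunistic" otherwise. The log lines are constructed sample data using documentation address ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format; not from a real host.
# 203.0.113.5 and 198.51.100.x make one or two attempts and vanish (random probe);
# 192.0.2.44 keeps trying real-looking account names for well over an hour.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 51111 ssh2
2024-03-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.5 port 51112 ssh2
2024-03-01T10:00:05 sshd[102]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-03-01T10:00:06 sshd[103]: Failed password for root from 198.51.100.8 port 40002 ssh2
2024-03-01T10:00:10 sshd[104]: Failed password for alice from 192.0.2.44 port 33001 ssh2
2024-03-01T10:20:10 sshd[105]: Failed password for alice from 192.0.2.44 port 33002 ssh2
2024-03-01T10:40:10 sshd[106]: Failed password for a.jones from 192.0.2.44 port 33003 ssh2
2024-03-01T11:00:10 sshd[107]: Failed password for alice from 192.0.2.44 port 33004 ssh2
2024-03-01T11:20:10 sshd[108]: Failed password for a.jones from 192.0.2.44 port 33005 ssh2
2024-03-01T11:40:10 sshd[109]: Failed password for finance from 192.0.2.44 port 33006 ssh2
"""

# Matches the failed-password line shape used in the sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def classify_sources(log_text, persist_attempts=5, persist_span=timedelta(minutes=30)):
    """Label each source address by how it behaves.

    'persistent'    : at least persist_attempts failures spread over at least
                      persist_span, i.e. someone who keeps coming back.
    'opportunistic' : a handful of attempts and then silence, the signature of
                      a scripted scan that moved on to the next address.
    Thresholds are assumed values for this example, not a published standard.
    """
    stamps = defaultdict(list)
    users = defaultdict(set)
    for ts, user, src in parse_failures(log_text):
        stamps[src].append(ts)
        users[src].add(user)

    labels = {}
    for src, times in stamps.items():
        span = max(times) - min(times)
        if len(times) >= persist_attempts and span >= persist_span:
            labels[src] = "persistent"
        else:
            labels[src] = "opportunistic"
    return labels


def summarize(log_text):
    """Count sources per label; the persistent bucket is what merits a human look."""
    counts = defaultdict(int)
    for label in classify_sources(log_text).values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
    print(summarize(SAMPLE_LOG))
```

On the sample data the three short-lived sources come out as opportunistic while 192.0.2.44 is flagged persistent; in practice the opportunistic bucket is background noise every internet-facing host sees, and the persistent bucket is the short list worth investigating.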

About the Author: Emmanuel Carabott

Emmanuel Carabott, CISSP (Certified Information Systems Security Professional), has been working in the IT field for the past 18 years. He joined GFI in 1999, where he currently heads the security research team.
Emmanuel is also a contributor to the GFI Blog, where he regularly posts articles on various topics of interest to sysadmins and other IT professionals, focusing primarily on information security.